Merge pull request #407 from tboerger/feat/gateway-rule-name

feat: add optional name to httproute rules

Author: pierluigilenoci

helm/oauth2-proxy/Chart.yaml

@@ -1,5 +1,5 @@
 name: oauth2-proxy
-version: 10.5.0
+version: 10.6.0
 apiVersion: v2
 appVersion: 7.15.2
 home: https://oauth2-proxy.github.io/oauth2-proxy/
@@ -31,11 +31,7 @@ kubeVersion: ">=1.16.0-0"
 annotations:
   artifacthub.io/changes: |
     - kind: added
-      description: >
-        Add deploymentLabels to allow setting deployment specific labels.
-        Add tpl support for ingress.labels, ingress.extraPaths and nodeSelector. This is a
-        behavior change: any values containing `{{ ... }}` will now be evaluated as templates.
-        To keep literal `{{` sequences, escape them (for example, use `{{"{{"}}`).
+      description: Added name attribute for HTTPRoute rules
       links:
         - name: GitHub PR
-          url: https://github.com/oauth2-proxy/manifests/pull/400
+          url: https://github.com/oauth2-proxy/manifests/pull/407

helm/oauth2-proxy/README.md

@@ -361,7 +361,8 @@ gatewayApi:
   hostnames:
     - oauth.example.com
   rules:
-    - matches:
+    - name: oauth2
+      matches:
         - path:
             type: PathPrefix
             value: /oauth2
@@ -380,6 +381,31 @@ gatewayApi:
 If you don't specify custom rules, the chart will create a default rule that matches all paths with `PathPrefix: /` and routes to the oauth2-proxy service.
 If you don't specify a sectionName, the rules will be applied to all listeners of the referenced Gateway.
 
+### Targeting Rules with Policies via `sectionName`
+
+The optional `name` field on each rule (e.g. `rules[].name: oauth2`) lets policies such as `SecurityPolicy`, `BackendTrafficPolicy`, or any other Gateway API policy that supports `sectionName` target a specific HTTPRoute rule rather than the entire route. Example:
+
+```yaml
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: SecurityPolicy
+metadata:
+  name: oauth2-proxy-policy
+spec:
+  targetRefs:
+    - group: gateway.networking.k8s.io
+      kind: HTTPRoute
+      name: oauth2-proxy
+      sectionName: oauth2          # matches rules[].name above
+  jwt:
+    providers:
+      - name: example
+        issuer: https://issuer.example.com
+        remoteJWKS:
+          uri: https://issuer.example.com/.well-known/jwks.json
+```
+
+Without a rule `name`, policies cannot target individual rules and must apply to the whole HTTPRoute.
+
 ## TLS Configuration
 
 See: [TLS Configuration](https://oauth2-proxy.github.io/oauth2-proxy/configuration/tls/).

helm/oauth2-proxy/ci/gateway-api-name.yaml

@@ -0,0 +1,16 @@
+# Gateway API configuration with rule name
+gatewayApi:
+  enabled: true
+  gatewayRef:
+    name: test-gateway
+  rules:
+    - name: service
+      matches:
+        - path:
+            type: PathPrefix
+            value: /
+    - name: metrics
+      matches:
+        - path:
+            type: PathPrefix
+            value: /metrics

helm/oauth2-proxy/templates/httproute.yaml

@@ -30,7 +30,10 @@ spec:
   rules:
   {{- if .Values.gatewayApi.rules }}
   {{- range .Values.gatewayApi.rules }}
-  - matches:
+  - {{- if .name }}
+    name: {{ .name | quote }}
+    {{- end }}
+    matches:
     {{- if .matches }}
     {{- toYaml .matches | nindent 4 }}
     {{- else }}

helm/oauth2-proxy/values.yaml

@@ -361,7 +361,8 @@ gatewayApi:
   gatewayRef: {}
   # HTTPRoute rule configuration
   # rules:
-  # - matches:
+  # - name: service        # optional: enables targeting by sectionName in policies
+  #   matches:
   #   - path:
   #       type: PathPrefix
   #       value: /